The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.
Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based functions.
Today, providers are using clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems. Health plans are providing access to claims and care management, as well as member self-service applications. While this means that the medical workforce can be more mobile and efficient (e.g., physicians can check patient records and test results from wherever they are), the rising adoption of these technologies also increases the potential security risks.
2. What is the HIPAA Act?
• The Health Insurance Portability and Accountability Act of 1996 was
enacted by the United States Congress and signed by President
Bill Clinton in 1996
• The HIPAA Privacy Rule is the first comprehensive Federal protection for the
privacy of individually identifiable health information
• 45 CFR Part 160 (general provisions) and 45 CFR Part 164 (the Privacy and
Security Rules) contain the applicable HIPAA rules
28-04-2022 2
3. Health Insurance Portability and Accountability Act
(HIPAA)
• This legislation was designed to protect the confidentiality of
individual health care records, including those generated by
pharmacy
• It is intended to ensure that a consumer's individually identifiable health
information will not be disclosed without his or her
knowledge or authorization, except where the Privacy Rule permits it
4. What is personally identifiable information?
• As the name implies, personally identifiable information (PII)
is any data that can be used to identify a specific person
• Certain information is always considered PII, such as
• Full name
• Date of birth
• Address
• Biometric data
6. Which identifiers make health information PHI (the HIPAA Safe Harbor list, 45 CFR 164.514(b))
• Name
• Address and DOB of the patient (any geographic subdivision smaller than a
state, and any date element other than the year)
• Telephone numbers
• Facsimile (fax) numbers
• Electronic mail (e-mail) addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
7. • Account numbers
• Certificate / license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web universal resource locators (URLs)
• Internet protocol (IP) address numbers
• Biometric identifiers, including fingerprints and voiceprints
• Full-face photographic images and any comparable images
• Any other unique identifying number, characteristic or code
8. What if PII is disclosed?
• Improper disclosure has a negative impact on the human
participant and can disrupt his or her normal routine, with consequences that are
• SOCIAL
• ECONOMIC
• MENTAL
9. • The HIPAA Privacy Rule provides Federal privacy protections for
individually identifiable health information, called protected health
information or PHI, held by most health care providers and health plans
and their business associates
• The HIPAA Privacy Rule sets out how and with whom PHI may be shared
• The HIPAA Privacy Rule also gives individuals certain rights regarding their
health information, such as the right to access or request corrections to
their information
10. Each practice site must designate an individual as the privacy
official (coordinator)
This person is responsible for
• maintaining privacy policies and procedures,
• receiving privacy-related complaints,
• providing information about the privacy practices and procedures at
your institution
11. Five key principles in the HIPAA Privacy Rule are:
• Notification
• Authorization and Consent
• Limited Use and Disclosure
• Auditing and Accounting
• Access
12. Notification - Patients should receive a notice of a
covered entity’s privacy practices
13. Authorization and Consent - Written authorization from the individual is
required for uses and disclosures not otherwise permitted or required under the Privacy
Rule
14. Limited Use and Disclosure - Covered entities must limit their uses, disclosures
and requests of PHI to the minimum necessary to accomplish the intended purpose
(the minimum necessary standard does not apply to disclosures to a health care
provider for treatment), and must develop and implement policies and procedures
governing who may access and use PHI
PHI - protected health information
15. Auditing and Accounting - Patients have the right to an
accounting of disclosures of their PHI made in the six years before the request,
other than disclosures for treatment, payment and health care operations
and certain other excepted disclosures (e.g. those made to the patient or under
the patient's written authorization)
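An accounting of disclosures can only be produced if every disclosure was logged with its date, recipient, description and purpose at the time it happened. The following is an added example, not code from the original slides, of a disclosure log that produces such an accounting: it applies the six-year window and excludes the carved-out purposes. The purpose codes, the field names and the choice to model only the main exclusions (treatment, payment, health care operations, disclosures to the individual and disclosures under written authorization) are my assumptions; the regulation lists further exceptions that are not modelled here.

```python
"""Added example (not from the original slides): a disclosure log that can
produce the accounting of disclosures an individual may request.

Assumptions: disclosures carry a short purpose code, and EXCLUDED_PURPOSES
covers only the main exclusions (treatment, payment, health care operations,
disclosures to the individual, disclosures under written authorization)."""
from dataclasses import dataclass
from datetime import date

# Purposes that do NOT have to appear in the accounting (assumed subset).
EXCLUDED_PURPOSES = frozenset({"treatment", "payment", "operations",
                               "to_individual", "authorization"})


@dataclass(frozen=True)
class Disclosure:
    patient_id: str      # internal identifier, never the patient's name
    disclosed_on: date
    recipient: str       # who received the PHI (name and, if known, address)
    description: str     # brief description of the PHI that was disclosed
    purpose: str         # purpose code, e.g. "public_health", "court_order"


def six_years_before(d: date) -> date:
    """Start of the six-year look-back window for a request made on d."""
    try:
        return d.replace(year=d.year - 6)
    except ValueError:            # 29 February with a non-leap target year
        return d.replace(year=d.year - 6, day=28)


class DisclosureLog:
    def __init__(self) -> None:
        self._entries: list[Disclosure] = []

    def record(self, patient_id: str, disclosed_on: date, recipient: str,
               description: str, purpose: str) -> Disclosure:
        # Every element of the accounting has to be captured when the
        # disclosure happens; it cannot be reconstructed later, so an
        # incomplete entry is refused rather than stored.
        for label, value in (("patient_id", patient_id), ("recipient", recipient),
                             ("description", description), ("purpose", purpose)):
            if not value or not value.strip():
                raise ValueError(f"disclosure entry missing {label}")
        entry = Disclosure(patient_id, disclosed_on, recipient, description, purpose)
        self._entries.append(entry)
        return entry

    def accounting(self, patient_id: str, request_date: date) -> list[Disclosure]:
        """Disclosures for this patient within the six years before
        request_date, minus the excluded purposes, oldest first."""
        cutoff = six_years_before(request_date)
        hits = [e for e in self._entries
                if e.patient_id == patient_id
                and cutoff <= e.disclosed_on <= request_date
                and e.purpose not in EXCLUDED_PURPOSES]
        return sorted(hits, key=lambda e: e.disclosed_on)


if __name__ == "__main__":
    # Constructed sample entries; all values are fictitious.
    log = DisclosureLog()
    log.record("pt-001", date(2021, 5, 3), "Dr. Example (treating physician)",
               "full chart", "treatment")
    log.record("pt-001", date(2020, 1, 15), "State health department",
               "lab result", "public_health")
    log.record("pt-001", date(2015, 6, 1), "County court", "visit dates", "court_order")
    for entry in log.accounting("pt-001", date(2022, 4, 28)):
        print(entry)
```

Note that the log is keyed by an internal patient identifier, so the log itself does not need to carry the patient's name; the treatment disclosure and the 2015 court-order disclosure (outside the window) do not appear in the accounting.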
16. Access - Patients have the right, under most circumstances,
to access their own records in the covered entity's designated
record set.
Patients may also request amendment of information that is inaccurate
or incomplete, and the covered entity must act on the request (accepting it
or giving a written reason for denying it)
17. What records must be kept confidential?
• 45 CFR 46 (the HHS human subjects regulations, which apply alongside HIPAA in
research) provides protections for the confidentiality of research participants as
follows:
• Subpart A - basic protections for human research participants
• Subpart B - additional protections for research participants who are pregnant
women, human fetuses or neonates
• Subpart C - additional protections for research participants who are prisoners
involved in biomedical and behavioral research
• Subpart D - additional protections for research participants who are children
18. Conditions under which HIPAA permits disclosure of PHI
without the individual's authorization
• When the disclosure is required by law
• For public health activities (e.g. prevention or control of
disease, notification of adverse drug events)
• In cases of abuse, neglect or domestic violence
• For health care oversight activities authorized by law or
regulation
• For judicial and administrative proceedings (e.g. a court order,
subpoena or warrant)
• To a law enforcement official for law enforcement purposes
19. • To a coroner, medical examiner or funeral director when the
information concerns a deceased person
• For cadaveric organ, eye and tissue donation
• For research purposes (subject to conditions, such as an IRB or Privacy
Board waiver of authorization)
• To avert a serious threat to health or safety
• For national security or intelligence activities
• For workers' compensation purposes
20. Best practices to follow the HIPAA rules
• Substitute codes for information that identifies the participant (e.g. use
numbers instead of names to identify participants), and store the key that
links codes to names separately from the research data
• Remove face sheets that contain identifiers, such as names and
addresses
• Properly dispose of all paper documents that contain identifiers
• Limit access to all data that identifies participants
• Educate research staff on the importance of maintaining
confidentiality
• Store paper records in locked cabinets and password-protect electronic content
• Assign security codes (access controls) to computerized records
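The first practice on the slide (substitute codes for identifying information) is worth seeing end to end, because the weak version of it, a plain hash of the name, can be reversed by guessing names. The following is an added example, not code from the original slides: it replaces each participant's name with a keyed (HMAC) code, drops the other direct identifiers from the slide's identifier list, keeps the code-to-identity linkage in a separate table that can be locked down independently of the research data, and finishes with a check that none of the original identifier values survives in the output. The sample records are constructed and fictitious. Reducing the date of birth to the year, with ages of 90 and over pooled, goes beyond the slide and follows the HIPAA Safe Harbor treatment of dates; the field names and the `P-` code format are my assumptions.

```python
"""Added example (not from the original slides): pseudonymize a small
research data set as the best-practices slide describes.

Assumptions: codes are HMAC-SHA256 over name and MRN under a secret key;
dates of birth are reduced to the birth year (ages >= 90 pooled as "90+"),
which follows the HIPAA Safe Harbor rule rather than anything on the slide."""
import hashlib
import hmac
import secrets

# Constructed sample records; every value is fictitious.
RAW_RECORDS = [
    {"name": "Ada Example", "dob": "1951-03-14", "phone": "555-0100",
     "email": "ada@example.org", "ssn": "000-00-0001", "mrn": "MRN-12345",
     "diagnosis": "type 2 diabetes", "hba1c": 7.9},
    {"name": "Bob Sample", "dob": "1928-11-02", "phone": "555-0199",
     "email": "bob@example.org", "ssn": "000-00-0002", "mrn": "MRN-67890",
     "diagnosis": "hypertension", "hba1c": 5.6},
]

# Direct identifiers from the slide's list; these never reach the data set.
DROPPED_FIELDS = frozenset({"name", "dob", "phone", "email", "ssn", "mrn"})


def participant_code(name: str, mrn: str, key: bytes) -> str:
    """Stable code for one participant. Keyed with HMAC so that knowing a
    name and MRN is not enough to recompute the code; a plain hash of the
    name could be reversed by hashing a list of candidate names."""
    ident = f"{name.strip().lower()}|{mrn.strip()}".encode()
    return "P-" + hmac.new(key, ident, hashlib.sha256).hexdigest()[:12]


def birth_year_bucket(dob: str, reference_year: int) -> str:
    """Year of birth only; participants aged 90 or more are pooled as '90+'."""
    year = int(dob[:4])
    return "90+" if reference_year - year >= 90 else str(year)


def pseudonymize(records, key: bytes, reference_year: int = 2022):
    """Return (research_dataset, linkage_table). Only the linkage table can
    map a code back to a person, so it is stored apart from the data set."""
    dataset, linkage = [], {}
    for rec in records:
        code = participant_code(rec["name"], rec["mrn"], key)
        linkage[code] = {"name": rec["name"], "mrn": rec["mrn"]}
        row = {"participant": code,
               "birth_year": birth_year_bucket(rec["dob"], reference_year)}
        row.update({k: v for k, v in rec.items() if k not in DROPPED_FIELDS})
        dataset.append(row)
    return dataset, linkage


def leaked_identifiers(dataset, raw_records) -> list:
    """Check that no raw identifier value survives anywhere in the output;
    returns (code, leaked_value) pairs, so an empty list means clean."""
    sensitive = {str(rec[f]) for rec in raw_records for f in DROPPED_FIELDS}
    leaks = []
    for row in dataset:
        for value in row.values():
            for s in sensitive:
                if s in str(value):
                    leaks.append((row["participant"], s))
    return leaks


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # kept with the linkage table, not the data
    data, linkage = pseudonymize(RAW_RECORDS, key)
    assert leaked_identifiers(data, RAW_RECORDS) == []
    for row in data:
        print(row)
```

The key and the linkage table are the re-identification material: they belong in the locked cabinet or the access-controlled store the slide describes, not beside the data set, and anyone who only receives the data set and the code cannot recover the participant without them.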